P2KC. Kazukuni Kobara (1) and Hideki Imai (1,2). 1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science (AIST)

Presentation transcript:

1 P2KC. Kazukuni Kobara (1) and Hideki Imai (1,2). 1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science (AIST); 2: Chuo Univ.

2 P2KC? Our proposal: Personalized-Public-Key Cryptosystem, a cryptosystem using personalized-public-keys.

3 Typical Usage of Public-Key Cryptosystem. [Figure labels: Bob (Decrypter); Encrypters, each with Bob's public-key]

4 We propose three usage modes for P2KC: Distribution then Personalization (DP) mode; Personalization then Distribution with Hidden PK (PDH) mode; Personalization then Distribution with Open PK (PDO) mode.

5 Distribution then Personalization (DP) Mode. [Figure labels: Bob (Decrypter); Bob's public-key; Delivery; Personalization; Personalized to Alice, Personalized to Carol, Personalized to Dave; Encrypters]

6 Personalization then Distribution with Hidden/Open PK (PDH/PDO) Modes. [Figure labels: Bob (Decrypter); Bob's public-key; Personalization; Delivery; Personalized to Alice, Personalized to Carol, Personalized to Dave; Encrypters]

7 Is there any advantage for personalizing PK? Maybe no for typical (number theoretic) PKCs such as RSA, ElGamal, ECC, DH, ECDH. But definitely yes for a certain class of combinatorial PKCs: Niederreiter/McEliece PKCs, some of the Hidden Field Equations (HFE) based PKCs and the Lattice based PKCs, as long as ciphertexts are given by the combination of public-key components according to the plaintexts and both the public-key and plaintext sizes are large.

8 Advantages of P2KC. It can reduce the encryption-key size. Decrypter can identify the encrypter with no extra cost such as signing; suited for low computational power applications. Note: in order to prevent the replay attack it should be used in the framework of challenge-response. It can be used with other PK reduction techniques.

9 Pros and Cons of Niederreiter (McEliece) PKC. Pros: Underlying problem (syndrome decoding) is well studied. Can be semantically secure (secure in a strong sense). Encryption is quite simple, mainly done with exclusive-or: suitable for low computational power devices, such as smart cards, sensors, cellular phones, RFIDs and so on, whereas RSA, DH, ECC require multi-precision modular multiplication/exponentiation -> require coprocessors in such devices. Con: Encryption key size is huge -> P2KC gives one solution to this.

10 Comparison between PKC and P2KC in Niederreiter scheme. PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253; P2KC: (DP,RT,a=0.044), i.e. n_1=90. PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418; P2KC: (DP,RT,a=0.042), i.e. n_1=86.

11 Attack Cost. n: code length; k: dimension of the code; t: # of correctable errors.

12 Core Idea of P2KC (1/2). [Figure: Message Space of PKC, containing the first, second, third and fourth messages] Assumption: messages are chosen at random so that they can be used to generate session keys.

13 Core Idea of P2KC (2/2). P2KC limits the space and allocates it to each user. [Figure: Message Space of P2KC, divided into Message Space of P2KC for UserA, for UserB and for UserC] Boundary is invisible for adversaries.

14 Hard to distinguish whether the target ciphertexts belong to PKC or P2KC as long as the following hold:
- (# of target ciphertexts)^2 << (message space of P2KC)
- (# of PPKs) x (Attack cost after knowing PPK) is huge
PPK: Personalized-Public-Key. [Figure labels: PKC; P2KC; Indistinguishable target ciphertexts; Adversary]

15 PKC and P2KC. PKC={KeyGen(), Enc(), Dec()}. P2KC_1={KeyGen(), Pers(), PEnc(), PDec(pv,)}: available when the decrypter knows the personalization vector pv. P2KC_2={KeyGen(), Pers(), KEnc(pv,), KDec()}: available when the encrypter knows the personalization vector pv.

16 KeyGen(): Keys for Niederreiter PKC. Accepts (n,k,t); generates secret-key sk; generates public-key pk: K and t. [Figure: K = S x H x P, an (n-k) x n matrix, where H is the parity-check matrix of a Goppa code which can correct up to t error bits, P is a random permutation matrix and S is a random non-singular matrix]

17 Enc(): Encryption of Random Session-Key in Niederreiter PKC. Accepts pk=(K,t) and msg; outputs c^T = K msg^T. Plaintext msg^T: n-dimensional vector of weight t or less, e.g. (0,1,0,0,1,0,...,0,0,1,0). Ciphertext c^T: syndrome. [Figure: c^T = K x msg^T]

18 Dec(): Decryption in Niederreiter PKC. Accepts c and sk. S^-1 c^T = H P msg^T. By applying the error-correction algorithm to S^-1 c^T, obtains a t or less bit error pattern (P msg^T). Outputs msg^T = P^-1 (P msg^T). [Figure: S^-1 c^T = H x P msg^T; msg^T = P^-1 x P msg^T]

19 Sketch of Personalization. [Figure labels: Message Space; PK; msg, msg'; PPK for A with pv for A; PPK for B with pv for B; PPK for C with pv for C]

20 Pers(): Personalization, One Example. Accepts pk=(K,t) and pv and then outputs ppk=(c_2,K_1,t,Sub). pv: Personalization Vector. Sub: weight of each column. Example: pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), Sub=(3, 2, 2, 2). [Figure labels: K; c_2; K_1 of width n_1]

21 Pers(): Personalization, Another Example. Accepts pk=(K,t) and pv and then outputs ppk=(c_2,K_1,t,Sub). pv: Personalization Vector. Sub: weight of each column. Example: pv=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4), Sub=(2, 2, 2, 2). [Figure labels: K; c_2; K_1 of width n_1]

22 PKC and P2KC. PKC={KeyGen(), Enc(), Dec()}. P2KC_1={KeyGen(), Pers(), PEnc(), PDec(pv,)}: available when the decrypter knows the personalization vector pv. P2KC_2={KeyGen(), Pers(), KEnc(pv,), KDec()}: available when the encrypter knows the personalization vector pv.

23 Sketch of P2KC_1, where decrypter knows pv. Encrypter knows: PPK, msg'. Decrypter knows msg and pv and hence can reconstruct msg'. [Figure labels: Message Space; PK; PPK; pv; msg; msg']

24 Sketch of P2KC_2, where encrypter knows pv. Decrypter can know msg. Encrypter knows msg' and pv and hence can reconstruct msg. [Figure labels: Message Space; PK; PPK; pv; msg; msg']

25 PEnc(): Encryption in Niederreiter P2KC_1. Accepts ppk and msg'; outputs c^T = c_2 (+) K_1 msg'^T. Plaintext msg'^T: a vector of length n_1 whose weight is taken so that the total number of added columns should not exceed t, e.g. (0,1,0) with Sub=(3, 2, 2, 2). Ciphertext c^T: syndrome. [Figure: c^T = c_2 (+) K_1 x msg'^T]

26 PDec(): Decryption in Niederreiter P2KC_1. Accepts c, sk and the candidates for pv, e.g. pv_1=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), pv_2=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4). Decrypts c using Dec() and sk and obtains msg, e.g. msg=(0, 1, 1, 1, 0, 0, 0, 1, 0, 1). Looks for pv being consistent with msg; pv_1 is consistent in this case. Converts msg to msg' using the found pv: msg'=(0, 1, 0).

27 KEnc(): Encryption in Niederreiter P2KC_2. Accepts ppk and pv; generates msg' at random; computes c^T = c_2 (+) K_1 msg'^T; converts msg' to msg using pv; outputs both c and ms=h(msg). Example: random msg'^T=(1,0,0), Sub=(3, 2, 2, 2), pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), msg^T=(1,1,0,1,0,0,0,1,1,0). Ciphertext c^T: syndrome.

28 KDec(): Decryption in Niederreiter P2KC_2. Accepts c and sk; decrypts c using Dec() and sk and then obtains msg; outputs ms=h(msg).
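
The following sketch is an added example, not code from the slides or from the authors: it runs Pers(), PEnc() and the pv lookup of PDec() over GF(2) on the pv, msg and msg' values shown in slides 20, 21, 26 and 27. It assumes the reading of pv that those values imply (label 0 fixes a coordinate to 0, label 1 fixes it to 1 and folds its column into c_2, label j >= 2 ties it to coordinate j-1 of msg'), uses a random toy matrix in place of a real K = SHP, a constructed t = 7, and hypothetical function names.

```python
import random

def pers(K, pv):
    """Pers(): fold the columns of K into (c2, K1, Sub) according to pv."""
    rows, groups = len(K), max(pv)           # labels 1..groups carry columns
    sums = [[0] * rows for _ in range(groups)]
    sub = [0] * groups
    for col, label in enumerate(pv):
        if label == 0:
            continue                         # coordinate fixed to 0: column dropped
        sub[label - 1] += 1
        for r in range(rows):
            sums[label - 1][r] ^= K[r][col]  # XOR the column into its group
    return sums[0], sums[1:], sub            # label 1 -> c2, labels 2.. -> K1

def expand(pv, msg_p):
    """Rebuild the full-length msg from msg' under pv."""
    return [label if label < 2 else msg_p[label - 2] for label in pv]

def enc(K, msg):
    """Enc(): syndrome c^T = K msg^T over GF(2)."""
    return [sum(k & m for k, m in zip(row, msg)) % 2 for row in K]

def penc(ppk, msg_p):
    """PEnc(): c^T = c2 xor K1 msg'^T, refusing more than t added columns."""
    c2, K1, t, sub = ppk
    if sub[0] + sum(s for s, b in zip(sub[1:], msg_p) if b) > t:
        raise ValueError("more than t columns would be added")
    c = list(c2)
    for column, bit in zip(K1, msg_p):
        if bit:
            c = [a ^ b for a, b in zip(c, column)]
    return c

def find_pv(msg, candidates):
    """PDec() lookup: (pv, msg') for the first candidate consistent with msg."""
    for pv in candidates:
        msg_p = [msg[pv.index(j)] for j in range(2, max(pv) + 1)]
        if expand(pv, msg_p) == msg:
            return pv, msg_p
    return None

# Constructed toy key: a random 6x10 binary matrix stands in for K = SHP.
rng = random.Random(1)
K = [[rng.randint(0, 1) for _ in range(10)] for _ in range(6)]
T = 7                                        # constructed bound, not from the slides
PV1 = [2, 1, 3, 1, 4, 0, 4, 1, 2, 3]         # pv values as given on the slides
PV2 = [0, 2, 3, 2, 1, 4, 1, 3, 0, 4]
```

Because c_2 and the columns of K_1 are sums of columns of K, penc() on msg' returns the same syndrome as enc() on the expanded msg, which is why the decrypter's unmodified Dec() still works on personalized ciphertexts.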

29 It is possible to define various P2KCs according to pv. One of our recommendations is Random Trimming (RT), e.g. pv=(0, 0, 2, 0, 0, 3, 0, 0, 4, 0), Sub=(0, 1, 1, 1). [Figure labels: K; K_1; [a n] coordinates where 0 < a < 1]

30 Security of Niederreiter PKC. Theorem: Breaking OW-CPA and PDOW-CPA is NP-Complete under the assumption that c and K are indistinguishable from random ones. Breaking OW-CPA: given c and pk, find msg. Breaking PDOW-CPA: given c and pk, find one (or some) coordinate(s) of msg. If OW-CPA or PDOW-CPA holds, it is possible to construct a PKC meeting the strongest security notion, IND-CCA2.

31 Game0: Syndrome Decoding Problem (SDP) (NP-Complete). Given a syndrome s, a random parity-check matrix R and a small integer w, find its pre-image of Hamming weight w or less. [Figure: syndrome = random matrix R x (0,1,0,0,1,0,...,0,0,1,0)]

32 Game1: Indistinguishability (Assumption). [Figure labels: Syndrome and Random Matrix R; c and K=SHP] If we assume the indistinguishability of them, it is obvious from the form of the PKC and SDP that breaking OW-CPA of the Niederreiter PKC is equivalent to solving the SDP. Remark: the most powerful distinguisher so far is the SSA (Support Splitting Algorithm). Hence the underlying code must be chosen so that it can resist the SSA.

33 Security of P2KC. P2KC gives constraints on the message by: fixing some coordinates; duplicating some coordinates. If these constraints are invisible for adversaries, there is no difference between breaking PKC and breaking P2KC. We show the invisibility by proving that the following problems are as hard as SDP.

34 Game2: Decision One Coordinate Problem (DOCP). Given c and H, determine the i-th coordinate of msg. [Figure: c = K x (0,1,0,0,1,0,...,0,0,1,0), with the i-th coordinate marked "?"]

35 DOCP is as hard as SDP, since if this is possible one can recover all the bits of msg by changing c and H appropriately. [Figure: c = K x (0,1,0,0,1,0,...,0,0,1,0), with the i-th coordinate marked "?"]

36 Game3a: Decision Coordinate Equivalence Problem 1 (DCEP1). Given two ciphertexts c and c' and H, determine whether the i-th coordinates of msg for c and c' are the same or not. [Figure: c = K x (0,1,0,1,0,...,1,0,0) and c' = K x (0,1,0,1,0,...,1,0,0), with the i-th coordinates compared, marked "?"]

37 DCEP1 is as hard as SDP, since if this is possible one can recover all the bits of msg by creating c' from known pre-image. This implies that it is hard to determine whether some coordinates in msg are fixed or not. [Figure: c = K x (0,1,0,1,0,...,1,0,0) and c' = K x (0,1,0,1,0,...,1,0,0), with the i-th coordinates compared, marked "?"]

38 Game3b: Decision Coordinate Equivalence Problem 2 (DCEP2). Given c and H, determine whether the i-th and the j-th coordinates take the same value or not. [Figure: c = K x (0,1,0,0,1,0,...,0,0,1,0), with the i-th and j-th coordinates compared, marked "?"]

39 DCEP2 is as hard as SDP, since if this is possible one can determine all the bits of msg by checking the equivalence for every j. This implies that it is hard to determine whether some coordinates are duplicated or not. [Figure: c = K x (0,1,0,0,1,0,...,0,0,1,0), with the i-th and j-th coordinates compared, marked "?"]

40 Giving constraints on the message basically does not harm the cryptosystem. But the following must be satisfied:
- (# of target ciphertexts)^2 << message space of the P2KC. Otherwise adversaries can know the fact that message space is limited (though this does not imply the break of PKC).
- (# of candidate PPKs) x (Attack cost after knowing the PPK) must be huge. Otherwise adversaries can apply exhaustive search on the personalization mechanism.

41 One may define various P2KCs according to pv. One of our recommendations is Random Trimming (RT), e.g. pv=(0, 0, 2, 0, 0, 3, 0, 4, 0, 0), Sub=(0, 1, 1, 1). [Figure labels: K; K_1; [a n] coordinates where 0 < a < 1]

42 Comparison between Niederreiter PKC and P2KC. PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253; P2KC: (DP,RT,a=0.044), i.e. n_1=90. PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418; P2KC: (DP,RT,a=0.042), i.e. n_1=86.

43 Conclusion (1/2). Proposed new concept, P2KC. P2KC_1: when decrypter knows pv. P2KC_2: when encrypter knows pv. Note: they do not need to share pv.

44 Conclusion (2/2). P2KC can reduce the encryption-key size of a certain class of combinatorial PKCs where: ciphertexts are given by the combination of public-key components according to the plaintexts; both the public-key and plaintext sizes are large. P2KC is suitable for low computational power devices such as smart cards, sensors, cellular phones, RFIDs and so on.